Dunno how important it is, but thought you'd like to know. I have XML sitemap installed on Drupal 7.28. XML sitemap custom, engines, node and taxonomy modules are enabled, internationalization, menu and user modules are disabled. I got this warning logged when someone with IP 5.255.253.74 (seems to be an image bot belonging to the search engine Yandex) accessed my site's sitemap.xml:

I tried to reproduce it by deleting cookies and going to sitemap.xml but had no luck. Maybe you'll eventually find a related issue or something and will be able to fix whatever caused this warning to appear.

Update: Got the same error with Google bot and Google bot simulator. So it's no random fluke but a full-blown reproducible bug. I'm increasing the priority from minor to normal. Please see what you can do about it.

@Ari Linn: is that Google bot simulator still giving you those errors? I just tried it on a site, and it did not produce the error for me. Being able to reproduce the problem makes it more likely to be found and fixed.

I work on a site that was logging the same warnings. It took a while, but I was able to track down at least one possible cause of the issue. It turns out that another module was adding session variables within hook_boot().

The session variables cause a problem because XML sitemap has already begun sending output within xmlsitemap_file_transfer(). When xmlsitemap_file_transfer() subsequently calls drupal_exit(), the session variables eventually cause a session to be started within drupal_session_commit(). But since the headers have already been sent, the warning is logged.

I'm probably going to raise this topic from the dead by posting, buuuut I finally got to debug my code. No, as far as I can see this bug can't be replicated with just a clean Drupal install and Xmlsitemap. However, it's very easy to mess the xmlsitemap_file_transfer() function with as simple a thing as a cookie. This is exactly my case. I have a module that sets a cookie in hook_init():

Create a module that sets a cookie in hook_init(), clean up your browser's cookies, try to access sitemap.xml and you'll be greeted with a nice and cute "Headers already sent" warning in your log. The mymodule_init() code works correctly on all generated pages generated by Drupal except sitemap.xml that calls xmlsitemap_file_transfer() that messes the output up. I'm not sure if Xmlsitemap should be the only one to blame for this, but IMO a module shouldn't complain about as trivial things as other module's cookies.

Update: tested both solutions offered here: unset($_SESSION) after closing the file in xmlsitemap_file_transfer() and using plain exit() instead of drupal_exit(). In my case, only the latter worked. The former generated 3 different warnings per request: Cannot modify header information, Cannot send session cookie, Failed to flush buffer, no buffer to flush.